Permissive Interfaces (Tom Henzinger, Ranjit Jhala, Rupak Majumdar)


Post on 19-Dec-2015


TRANSCRIPT

  • Slide 1
  • Permissive Interfaces. Tom Henzinger, Ranjit Jhala, Rupak Majumdar
  • Slide 2
  • A Problem with Program Analysis: whole-program analysis is not always possible. Availability: the client code may be missing. Scalability: the whole system may be too large. [Figure: Client calling Library]
  • Slide 3
  • Modular Program Analysis: find an interface for the library, then use the interface to verify the client. [Figure: Client, Library]
  • Slide 4
  • Modular Program Analysis. Availability: the interface is independent of the client. Scalability: the interface is small, an abstraction of the library. [Figure: Library, Interface]
  • Slide 5
  • What is an Interface? An interface is a set of constraints on legal uses of the API: the API call sequences after which the library is in a legal state. [Figure: library states partitioned into Legal and Error; the interface picks out the API call sequences that keep the library in the Legal states]
  • Slide 6
  • Example. Library (Static e=0; Static a=NULL):
  • acq(){ if(a==NULL){ a:=m_new(); } else e:=1; return;}
  • read(){ if(a!=NULL){ a:=m_rd(a); } else e:=1; return;}
  • rel(){ a:=NULL; return;}
  • Library states: Legal if e=0, Error if e!=0. Interface (API automaton): n0 -acq-> n1, n1 -read-> n1, n1 -rel-> n0; a read in n0 or a second acq in n1 leads to the error typestate n2. Safe: the interface's call sequences are contained in the legal call sequences.
  • Slide 7
  • Safety Not Enough! Library (Static e=0, a=NULL, x=0), now with three more calls:
  • acq(){ if(a==NULL){ a:=m_new(); } else e:=1; return;}
  • read(){ if(a!=NULL){ a:=m_rd(a); } else e:=1; return;}
  • rel(){ a:=NULL; return;}
  • acqx(){ if(a==NULL){ a:=m_new(); x:=1; } else e:=1;}
  • write(){ if(x!=0){ m_wr(a); } else e:=1; return;}
  • relx(){ a:=NULL; x:=0;}
  • A safe interface that merges acq with acqx (edges labelled acq/x) and rel with relx (rel/x): n0 -acq/x-> n1, n1 -read-> n1, n1 -rel/x-> n0, and every write leads to the error typestate n2. This interface disallows all calls to write, so it is useless for modular program analysis.
  • Slide 8
  • Permissive Interfaces. Same library (Static e=0, a=NULL, x=0; acq, read, rel, acqx, write, relx as on the previous slide). Interface: n0 -acq-> n1 with n1 -read-> n1 and n1 -rel-> n0 as before, plus n0 -acqx-> n3 with n3 -read-> n3, n3 -write-> n3 and n3 -rel/x-> n0; illegal calls lead to the error typestate n2. Permissive: the legal call sequences are contained in the interface's call sequences. Modular analysis needs interfaces that are both safe and permissive.
  • Slide 9
  • Plan: 1. Motivation; 2. Characterizing Safe, Permissive Interfaces; 3. Computing Safe, Permissive Interfaces; 4. Extensions; 5. Experiments
  • Slide 10
  • Plan: 1. Motivation; 2. Characterizing Safe, Permissive Interfaces; 3. Computing Safe, Permissive Interfaces; 4. Extensions; 5. Experiments
  • Slide 11
  • Typestate Interpretations. The interface is a typestate system, an abstraction of the library's internal state. A typestate interpretation r maps each typestate n to a region r(n) that over-approximates the possible internal states; for the example interface (n0 -acq-> n1, n1 -read-> n1, n1 -rel-> n0, n1 -acq-> n2): r(n0): a=0, r(n1): a≠0, r(n2): e≠0. (P1) The initial states are in r(n0). (P2) For every edge n -f-> n': Post(r(n), f) ⊆ r(n').
  • Slide 12
  • Typestate Interpretations: checking (P2) on the acq edges n0 -acq-> n1 and n1 -acq-> n2 against acq(){ if(a==NULL){ a:=m_new(); } else e:=1; return;} with r(n0): a=0, r(n1): a≠0, r(n2): e≠0. (P2) For every edge n -f-> n': Post(r(n), f) ⊆ r(n').
  • Slide 13
  • Typestate Interpretations: checking (P2) on the read edges against read(){ if(a!=NULL){ a:=m_rd(a); } else e:=1; return;} with r(n0): a=0, r(n1): a≠0, r(n2): e≠0. (P2) For every edge n -f-> n': Post(r(n), f) ⊆ r(n').
  • Slide 14
  • Typestate Interpretations: checking (P2) on the rel edge n1 -rel-> n0 against rel(){ a:=NULL; return;} with r(n0): a=0, r(n1): a≠0, r(n2): e≠0. (P2) For every edge n -f-> n': Post(r(n), f) ⊆ r(n').
  • Slide 15
  • Typestate Interpretations (full interface). The interface is a typestate system, an abstraction of the library's internal state; a typestate interpretation over-approximates the possible internal states: r(n0): a=0, r(n1): a≠0, r(n2): e≠0. (P1) The initial states are in r(n0). (P2) For every edge n -f-> n': Post(r(n), f) ⊆ r(n').
  • Slide 16
  • Safe Interpretations. The interface is a typestate system, an abstraction of the library's internal state; a typestate interpretation over-approximates the possible internal states. (P1) The initial states are in r(n0). (P2) For every edge n -f-> n': Post(r(n), f) ⊆ r(n'). (P3) For every legal typestate n: r(n) ∩ Err = ∅. Example interface: n0 -acq-> n1, n1 -read-> n1, n1 -rel-> n0, n1 -acq-> n2, with r(n0): a=0, r(n1): a≠0, r(n2): e≠0.
  • Slide 17
  • Safe Interpretations. Theorem: a safe interpretation implies a safe interface. (P1) The initial states are in r(n0). (P2) For every edge n -f-> n': Post(r(n), f) ⊆ r(n'). (P3) For every legal typestate n: r(n) ∩ Err = ∅. Example interface as before, with r(n0): a=0, r(n1): a≠0, r(n2): e≠0.
  • Slide 18
  • Permissive Interpretations. The interface is a typestate system, an abstraction of the library's internal state; a typestate interpretation over-approximates the possible internal states. (P1) The initial states are in r(n0). (P2) For every edge n -f-> n': Post(r(n), f) ⊆ r(n'). (P4) For every illegal typestate n: r(n) ⊆ Err. Example interface as before, with r(n0): a=0, r(n1): a≠0, r(n2): e≠0.
  • Slide 19
  • Permissive Interpretations. (P1) The initial states are in r(n0). (P2) For every edge n -f-> n': Post(r(n), f) ⊆ r(n'). (P4) For every illegal typestate n: r(n) ⊆ Err. Theorem: a permissive interpretation implies a permissive interface. Example interface as before, with r(n0): a=0, r(n1): a≠0, r(n2): e≠0.
  • Slide 20
  • Sanity Check. The merged interface from the "Safety Not Enough" slide (n0 -acq/x-> n1, n1 -read-> n1, n1 -rel/x-> n0, write leading to n2) over the library with Static e=0, a=NULL, x=0 and the calls acq, read, rel, acqx, write, relx. Interpretation: r(n0): a=0, r(n1): a≠0, r(n2): e≠0. Q: Why is this not a permissive interface?
  • Slide 21
  • Sanity Check: the edge n1 -write-> n2 with write(){ if(x!=0){ m_wr(a); } else e:=1; return;}. From r(n1): a≠0, a write reaches states with e≠0 (when x=0) but also states with e=0 (when x≠0), and the latter are not in r(n2): e≠0. A: (P2) fails, so r is not an interpretation. (P2) For every edge n -f-> n': Post(r(n), f) ⊆ r(n'). Q: Why is this not a permissive interface?
  • Slide 22
  • Sanity Check: the same edge n1 -write-> n2 with write(){ if(x!=0){ m_wr(a); } else e:=1; return;}, but now r(n2) is enlarged to contain both the e≠0 and the e=0 successors of r(n1): a≠0. (P4) For every illegal typestate n: r(n) ⊆ Err. A: (P4) fails, so r is not a permissive interpretation. Q: Why is this not a permissive interface?
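The sanity check above and the interface-checking problem of the next section, as an added example (my code, not the talk's): a brute-force checker for (P1)-(P4) over the eight abstract states of the slides' library. It assumes that m_new and m_rd return non-NULL, and the edge sets and regions are my own choices modelled on the merged interface of slide 7, the write edge of slide 21, and the permissive interface of slide 8.

```python
from itertools import product
# Abstract library state (a_nonnull, e, x): the statics a, e, x of the slides' library.
STATES = set(product([False, True], repeat=3))
INIT = (False, False, False)                   # Static a=NULL, e=0, x=0
ERR = {s for s in STATES if s[1]}              # Err: e != 0
# The six API calls as transitions on abstract states (assumes m_new, m_rd return non-NULL).
def acq(s):   a, e, x = s; return (True, e, x) if not a else (a, True, x)
def acqx(s):  a, e, x = s; return (True, e, True) if not a else (a, True, x)
def read(s):  a, e, x = s; return s if a else (a, True, x)
def write(s): a, e, x = s; return s if x else (a, True, x)
def rel(s):   a, e, x = s; return (False, e, x)
def relx(s):  a, e, x = s; return (False, e, False)
LIB = {f.__name__: f for f in (acq, acqx, read, write, rel, relx)}
def region(pred):
    """Region r(n) of an interpretation: the abstract states satisfying pred(a, e, x)."""
    return {s for s in STATES if pred(*s)}
def violations(edges, r, legal, n0="n0"):
    """List the conditions (P1)-(P4) that r violates for edges [(n, f, n')] and legal typestates."""
    bad = []
    if INIT not in r[n0]:                        # (P1): initial state in r(n0)
        bad.append("P1")
    for n, f, m in edges:                        # (P2): Post(r(n), f) contained in r(n')
        if not {LIB[f](s) for s in r[n]} <= r[m]:
            bad.append(f"P2 {n}-{f}->{m}")
    for n in r:
        if n in legal and r[n] & ERR:            # (P3): legal n => r(n) disjoint from Err
            bad.append(f"P3 {n}")
        if n not in legal and not r[n] <= ERR:   # (P4): illegal n => r(n) inside Err
            bad.append(f"P4 {n}")
    return bad

# Slide-7 style interface: acq/acqx merged into n1, rel/relx merged, write sent to error state n2.
MERGED = [("n0","acq","n1"), ("n0","acqx","n1"), ("n1","read","n1"), ("n1","rel","n0"),
          ("n1","relx","n0"), ("n1","acq","n2"), ("n0","read","n2"), ("n1","write","n2")]
R_MERGED = {"n0": region(lambda a, e, x: not a and not e),
            "n1": region(lambda a, e, x: a and not e)}
def safe_only():     # r(n2) = all states: (P1)-(P3) hold (safe), only (P4) fails (not permissive)
    return violations(MERGED, {**R_MERGED, "n2": STATES}, legal={"n0", "n1"})
def sanity_check():  # r(n2) = Err instead: (P2) fails on the write edge, as on slide 21
    return violations(MERGED, {**R_MERGED, "n2": ERR}, legal={"n0", "n1"})

# Slide-8 style permissive interface: separate typestate n3 for a resource acquired with acqx.
PERMISSIVE = [("n0","acq","n1"), ("n1","read","n1"), ("n1","rel","n0"), ("n1","acq","n2"),
              ("n1","write","n2"), ("n0","acqx","n3"), ("n3","read","n3"), ("n3","write","n3"),
              ("n3","relx","n0"), ("n3","acq","n2"), ("n0","read","n2"), ("n0","write","n2")]
def permissive():    # all of (P1)-(P4) hold: safe and permissive
    r = {"n0": region(lambda a, e, x: not a and not e and not x),
         "n1": region(lambda a, e, x: a and not e and not x),
         "n3": region(lambda a, e, x: a and not e and x), "n2": ERR}
    return violations(PERMISSIVE, r, legal={"n0", "n1", "n3"})
```

Each function returns the list of violated conditions, so an empty list means the candidate interface passes as both safe and permissive under the given interpretation.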
  • Slide 23
  • Plan: 1. Motivation; 2. Characterizing Safe, Permissive Interfaces; 3. Computing Safe, Permissive Interfaces; 4. Extensions; 5. Experiments
  • Slide 24
  • Computing Interfaces. Problem A, Interface Checking: given the library, a candidate interface I and an abstraction, check whether I is safe and permissive. Problem B, Interface Reconstruction: given the library and an abstraction, reconstruct a safe, permissive interface I. Problem C, Interface Inference: given the library, infer a safe, permissive interface I.
  • Slide 25
  • A. Interface Checking: check safety and permissiveness independently. Problem A, Interface Checking: given the library, a candidate interface I and an abstraction, check whether I is safe and permissive.
  • Slide 26
  • A. Interface Checking [Safe]. Interface: n0 -acq-> n1, n1 -read-> n1, n1 -rel-> n0, n1 -acq-> n2. Library (Static e=0; Static a=NULL): acq(){ if(a==NULL){ a:=m_new(); } else e:=1; return;} read(){ if(a!=NULL){ a:=m_rd(a); } else e:=1; return;} rel(){ a:=NULL; return;}. Problem A, Interface Checking: given the library, a candidate interface I and an abstraction, check whether I is safe and permissive.
  • Slide 27
  • A. Interface Checking [Safe]. Idea: analyze (Interface × Client) + Library, where the client follows the interface, and verify the assertion: Client in a legal location implies Library in a legal state (e=0; error if e!=0). Library as before: acq(){ if(a==NULL){ a:=m_new(); } else e:=1; return;} read(){ if(a!=NULL){ a:=m_rd(a); } else e:=1; return;} rel(){ a:=NULL; return;}
  • Slide 28
  • B. Interface Checking [Permissive]. Interface: n0 -acq-> n1, n1 -read-> n1, n1 -rel-> n0, n1 -acq-> n2. Library (Static e=0; Static a=NULL): acq(){ if(a==NULL){ a:=m_new(); } else e:=1; return;} read(){ if(a!=NULL){ a:=m_rd(a); } else e:=1; return;} rel(){ a:=NULL; return;}. Interface Checking: given the library, a candidate interface I and an abstraction, check whether I is safe and permissive.
  • Slide 29
  • B. Interface Checking [Permissive]. Interface, Client, Library (Static e=0; Static a=NULL): acq(){ if(a==NULL
